For lack of a better title. Our environment requires having subdomains where we allow dynamic updates, using BIND as the DNS server and its nsupdate utility, authenticating via key files. We're looking to make this more redundant. Currently we have one primary name server for all of these subdomains and several secondaries for our top-level domain (but not for the subdomains). As an example, using bar.com as the TLD and foo.bar.com as the subdomain, the foo.bar.com subdomain zone file would have entries similar to:

NS ns1.bar.com
A 1.2.3.4
MX mx1.bar.com
www A 1.2.3.5

...

and the primary zone file would have entries for 'foo' such as:

foo NS ns1.bar.com

Currently the subdomains are not replicated to other name servers, i.e. ns1 is the only name server that can resolve these, even though ns2, ns3, etc. are set up as secondaries for the bar.com domain. Ideas on how to set this up in a more reliable way? If the glue record in the bar.com zone file was removed and multiple NS records were set up in each subdomain (and the subdomains were set up as slaves on the secondary name servers), that would help resolve the domains, but it wouldn't help with providing an alternate 'update' server should a subdomain need to be updated. If ns1 was down in this example, how would one allow the nsupdate clients to update their zone and have it replicate to the other name servers, as well as to ns1 when it comes back online? Is this even possible with BIND?

3 Answers

BIND9 (again, with appropriate patches) is able to use an LDAP database as a backend. Fedora and RHEL 6.4+ contain a patched BIND with LDAP support, if you want to try it.

Multi-master operation with an LDAP backend is possible: each DNS master server counts its own serial number and advertises itself as master (in the SOA MNAME), so updates from clients are distributed to all servers. Data replication is handled at the LDAP level in this case.

The described multi-master DNS is used in the FreeIPA project. FreeIPA can set up a replicated LDAP environment for you. (Integrated/replicated/multi-master DNS comes with FreeIPA as a bonus; the main focus of FreeIPA is identity management.)

There's no mechanism in the DNS protocol (let alone in BIND) to allow dynamic updates received on different "masters" to be merged and replicated to multiple slaves (and the primary "master" when it comes up).

You either have to stick with the supported "one master, multiple secondary" model with dynamic updates and IXFR, or use some form of out-of-band mechanism to update all of your servers.
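The supported "one master, multiple secondary" model described above, as an added example that is not part of this answer: a named.conf fragment for the primary and for one secondary, assuming placeholder addresses 198.51.100.1 (ns1), 198.51.100.2 (ns2) and 198.51.100.3 (ns3), placeholder TSIG secrets, and key names chosen here. With allow-update-forwarding the secondaries relay signed nsupdate requests to the primary, so clients need not hard-code ns1, but the primary still has to be reachable for an update to succeed.

```conf
# --- ns1 (primary for foo.bar.com), named.conf ---
# TSIG key shared with the nsupdate clients. The secret is a placeholder:
# generate a real one with tsig-keygen and keep this file readable only by named.
key "foo-update-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

# Separate key for zone transfers, so an update key cannot pull the whole zone.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET2==";
};

zone "foo.bar.com" {
    type master;
    file "dynamic/foo.bar.com.zone";
    # Least privilege: the key may change records below the apex only,
    # so it cannot rewrite the SOA or the NS set of foo.bar.com.
    update-policy { grant foo-update-key zonesub ANY; };
    # Send NOTIFY to the secondaries so IXFR picks up each update promptly.
    also-notify { 198.51.100.2; 198.51.100.3; };
    allow-transfer { key xfer-key; };
};

# --- ns2 / ns3 (secondaries), named.conf ---
# The same "foo-update-key" and "xfer-key" definitions as on ns1 go here.

# Sign transfer requests to the primary with the transfer key.
server 198.51.100.1 { keys { xfer-key; }; };

zone "foo.bar.com" {
    type slave;
    masters { 198.51.100.1; };
    file "slaves/foo.bar.com.zone";
    # Relay nsupdate messages signed with the update key to the primary
    # instead of refusing them; the primary re-checks the TSIG itself.
    allow-update-forwarding { key foo-update-key; };
};

# --- bar.com zone file: delegate to every server that now carries the zone ---
# foo    IN NS ns1.bar.com.
# foo    IN NS ns2.bar.com.
# foo    IN NS ns3.bar.com.
```

The delegation lines are plain NS records; glue A records are only needed when a name server's name lies inside the zone it serves, which is not the case for ns1.bar.com serving foo.bar.com. Newer BIND releases also accept `type primary` and `type secondary` as spellings of `master` and `slave`.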

Maybe it will help: BIND can use MySQL as a backend (you will possibly need to recompile it with the right option enabled), and MySQL has a Cluster edition (a free one too) which is kind of multi-master. Maybe these can be combined to achieve your needs... There's also PowerDNS, which can also use SQL as a backend.